Ephemera is a security-sensitive project. We take vulnerability reports seriously and appreciate responsible disclosure.

Only the latest released version is supported for security updates.

Please do not report security vulnerabilities through public issues.

Instead, use one of the following private disclosure methods:

• Email: security@keemail.me
• Or open a private security advisory via Codeberg (preferred when available)

When reporting, please include:

• A clear description of the issue
• Steps to reproduce (if applicable)
• Potential impact
• Any relevant logs or proof-of-concept

We aim to acknowledge reports within 72 hours.

• Vulnerabilities are reviewed and validated
• Fixes are developed and tested
• Coordinated disclosure is preferred
• Credit is given to reporters unless anonymity is requested